Suspending a riot process..how?

[Shub-Nigurrath]

Hi,
I'm working on a patch of a program and writing a loader for it.
But for it I have this problem: the SuspendThread won't suspend the thread.

I launch the victim process using CreateProcess in suspended mode as:

Code:

if( !::CreateProcess( victimFileName.c_str(), // No module name (use command line). 
	NULL,			  // Command line. 
	NULL,             // Process handle not inheritable. 
	NULL,             // Thread handle not inheritable. 
	NULL,             // Set handle inheritance to FALSE. 
	CREATE_SUSPENDED, // suspended creation flags. 
	NULL,             // Use parent's environment block. 
	NULL,             // Use parent's starting directory. 
	&si,              // Pointer to STARTUPINFO structure.
	&pi )             // Pointer to PROCESS_INFORMATION structure.
	) 
{
	MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
		MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
	return 1;
}

And then after an initial resume of the process, to skip the initial unpacking and wait the guard condition to come active (I wait a memory address assuming a specific value or the main program's window to appear). I do as following:

Code:

//Before patching the victim application it's better to suspend it..
//If we cannot for some protection suspend the application then
//a little of tentatives are tried:
//1. repeat several time SuspendThread (see comment below to see why)
//2. try to lower the priority
//3. try using the kernel counterparts zwSuspendThread and zwSuspendProcess
//4. open the process to get another process handle. 
// If all these things fails then closes the patcher with an error!
if(SuspendThread(pi.hThread)==-1) {
	//If the thread is making a kernel call, SuspendThread fails. 
	//An application may need to repeat the SuspendThread several times for it 
	//to succeed.
	int trials_count=0;
	BOOL skiptherest=FALSE;
	while(trials_count<=MAX_SUSPENDTHREAD_TRIALS) {
		if(SuspendThread(pi.hThread)!=-1) {
			skiptherest=TRUE;
			break;
		}
		trials_count++;
	}
	
	//Try to lower the the thread's priority.
	if(!skiptherest) {
		thPriority=GetThreadPriority(pi.hThread);
		if(thPriority!=THREAD_PRIORITY_NORMAL)
			SetThreadPriority(pi.hThread,THREAD_PRIORITY_NORMAL);
		if(SuspendThread(pi.hThread)!=-1)
			skiptherest=TRUE;
	}
	
	//Try suspending the process using kernel equivalent functions
	NTSTATUS ret=0;
	if(!skiptherest) {
		ret=ZwSuspendThread(pi.hThread, NULL);
		if(ret>0)
			skiptherest=TRUE;
	}
	if(!skiptherest) {
		ret=ZwSuspendProcess(pi.hProcess);
		if(ret>0)
			skiptherest=TRUE;
	}

	if(!skiptherest) {
		HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE, pi.dwProcessId);
		if(hProc==NULL) {
			MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
			MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
			return 1;
		}
		pi.hProcess=hProc;
		bProcessOpened=TRUE;
		NTSTATUS ret=ZwSuspendProcess(pi.hProcess);
		if(ret>0)
			skiptherest=TRUE;
	}

	if(!skiptherest) {
		::MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
			MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
		return 1;
	}
		
}

then patch it using writememory..

I don't know if all the tentatives are sensefull or not, but all fails as well as the simple SuspendThread.

Anyway a simple SuspendThread has worked fine for all the loaders I wrote, this is the first time I cannot suspend the process at all.

Any suggestion regarding this will be extremely welcome!

10x in advance!